Could some more guidance be provided around how to use the explicit typing with nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is integrity protected by the issuer? On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) <phil.h...@oracle.com> wrote: > +1 > > Thanks Mike. > > Phil > > On Jul 4, 2017, at 12:43 PM, Mike Jones <michael.jo...@microsoft.com> > wrote: > > The JWT BCP draft has been updated to describe the use of explicit typing > of JWTs as one of the ways to prevent confusion among different kinds of > JWTs. This is accomplished by including an explicit type for the JWT in > the “typ” header parameter. For instance, the Security Event Token (SET) > specification <http://self-issued.info/?p=1709> now uses the “ > application/secevent+jwt” content type to explicitly type SETs. > > > > The specification is available at: > > - https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01 > > > > An HTML-formatted version is also available at: > > - http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html > > > > -- Mike > > > > P.S. This notice was also posted at http://self-issued.info/?p=1714 and > as @selfissued <https://twitter.com/selfissued>. > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
